2026-01-08 01:06:09 +01:00
---
2026-03-18 15:44:08 -07:00
summary: “Per-agent sandbox + tool restrictions, precedence, and examples”
2026-01-08 01:06:09 +01:00
title: Multi-Agent Sandbox & Tools
2026-03-18 15:44:08 -07:00
read_when: “You want per-agent sandboxing or per-agent tool allow/deny policies in a multi-agent gateway.”
2026-01-08 01:06:09 +01:00
status: active
---
2026-01-07 11:59:16 +01:00
# Multi-Agent Sandbox & Tools Configuration
2026-03-18 15:44:08 -07:00
Each agent in a multi-agent setup can override the global sandbox and tool
policy. This page covers per-agent configuration, precedence rules, and
examples.
2026-01-07 11:59:16 +01:00
2026-03-18 15:44:08 -07:00
- **Sandbox backends and modes**: see [Sandboxing ](/gateway/sandboxing ).
- **Debugging blocked tools**: see [Sandbox vs Tool Policy vs Elevated ](/gateway/sandbox-vs-tool-policy-vs-elevated ) and `openclaw sandbox explain` .
- **Elevated exec**: see [Elevated Mode ](/tools/elevated ).
2026-01-15 04:41:38 +00:00
2026-03-18 15:44:08 -07:00
Auth is per-agent: each agent reads from its own `agentDir` auth store at
`~/.openclaw/agents/<agentId>/agent/auth-profiles.json` .
2026-01-15 04:41:38 +00:00
Credentials are **not ** shared between agents. Never reuse `agentDir` across agents.
If you want to share creds, copy `auth-profiles.json` into the other agent's `agentDir` .
2026-01-07 11:59:16 +01:00
---
## Configuration Examples
### Example 1: Personal + Restricted Family Agent
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"list" : [
{
"id" : "main" ,
"default" : true ,
2026-01-07 11:59:16 +01:00
"name" : "Personal Assistant" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace" ,
2026-01-09 12:44:23 +00:00
"sandbox" : { "mode" : "off" }
2026-01-07 11:59:16 +01:00
} ,
2026-01-09 12:44:23 +00:00
{
"id" : "family" ,
2026-01-07 11:59:16 +01:00
"name" : "Family Bot" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace-family" ,
2026-01-07 11:59:16 +01:00
"sandbox" : {
"mode" : "all" ,
"scope" : "agent"
} ,
"tools" : {
"allow" : [ "read" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "exec" , "write" , "edit" , "apply_patch" , "process" , "browser" ]
2026-01-07 11:59:16 +01:00
}
}
2026-01-09 12:44:23 +00:00
]
} ,
"bindings" : [
{
"agentId" : "family" ,
"match" : {
"provider" : "whatsapp" ,
"accountId" : "*" ,
"peer" : {
"kind" : "group" ,
"id" : "120363424282127706@g.us"
2026-01-07 11:59:16 +01:00
}
}
2026-01-09 12:44:23 +00:00
}
]
2026-01-07 11:59:16 +01:00
}
```
**Result: **
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
- `main` agent: Runs on host, full tool access
- `family` agent: Runs in Docker (one container per agent), only `read` tool
---
### Example 2: Work Agent with Shared Sandbox
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"list" : [
{
"id" : "personal" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace-personal" ,
2026-01-07 11:59:16 +01:00
"sandbox" : { "mode" : "off" }
} ,
2026-01-09 12:44:23 +00:00
{
"id" : "work" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace-work" ,
2026-01-07 11:59:16 +01:00
"sandbox" : {
"mode" : "all" ,
"scope" : "shared" ,
"workspaceRoot" : "/tmp/work-sandboxes"
} ,
"tools" : {
2026-01-12 03:42:49 +00:00
"allow" : [ "read" , "write" , "apply_patch" , "exec" ] ,
2026-01-07 11:59:16 +01:00
"deny" : [ "browser" , "gateway" , "discord" ]
}
}
2026-01-09 12:44:23 +00:00
]
2026-01-07 11:59:16 +01:00
}
}
```
---
2026-01-13 06:28:15 +00:00
### Example 2b: Global coding profile + messaging-only agent
``` json
{
"tools" : { "profile" : "coding" } ,
"agents" : {
"list" : [
{
"id" : "support" ,
"tools" : { "profile" : "messaging" , "allow" : [ "slack" ] }
}
]
}
}
```
**Result: **
2026-01-31 21:13:13 +09:00
2026-01-13 06:28:15 +00:00
- default agents get coding tools
- `support` agent is messaging-only (+ Slack tool)
---
2026-01-07 11:59:16 +01:00
### Example 3: Different Sandbox Modes per Agent
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"defaults" : {
"sandbox" : {
2026-01-31 21:13:13 +09:00
"mode" : "non-main" , // Global default
2026-01-09 12:44:23 +00:00
"scope" : "session"
}
} ,
"list" : [
{
"id" : "main" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace" ,
2026-01-07 11:59:16 +01:00
"sandbox" : {
2026-01-31 21:13:13 +09:00
"mode" : "off" // Override: main never sandboxed
2026-01-07 11:59:16 +01:00
}
} ,
2026-01-09 12:44:23 +00:00
{
"id" : "public" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace-public" ,
2026-01-07 11:59:16 +01:00
"sandbox" : {
2026-01-31 21:13:13 +09:00
"mode" : "all" , // Override: public always sandboxed
2026-01-07 11:59:16 +01:00
"scope" : "agent"
} ,
"tools" : {
"allow" : [ "read" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "exec" , "write" , "edit" , "apply_patch" ]
2026-01-07 11:59:16 +01:00
}
}
2026-01-09 12:44:23 +00:00
]
2026-01-07 11:59:16 +01:00
}
}
```
---
## Configuration Precedence
2026-01-09 12:44:23 +00:00
When both global (`agents.defaults.*` ) and agent-specific (`agents.list[].*` ) configs exist:
2026-01-07 11:59:16 +01:00
### Sandbox Config
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
Agent-specific settings override global:
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
```
2026-01-09 12:44:23 +00:00
agents.list[].sandbox.mode > agents.defaults.sandbox.mode
agents.list[].sandbox.scope > agents.defaults.sandbox.scope
agents.list[].sandbox.workspaceRoot > agents.defaults.sandbox.workspaceRoot
agents.list[].sandbox.workspaceAccess > agents.defaults.sandbox.workspaceAccess
agents.list[].sandbox.docker.* > agents.defaults.sandbox.docker.*
agents.list[].sandbox.browser.* > agents.defaults.sandbox.browser.*
agents.list[].sandbox.prune.* > agents.defaults.sandbox.prune.*
2026-01-07 11:59:16 +01:00
```
2026-01-08 01:06:09 +01:00
**Notes: **
2026-01-31 21:13:13 +09:00
2026-01-09 12:44:23 +00:00
- `agents.list[].sandbox.{docker,browser,prune}.*` overrides `agents.defaults.sandbox.{docker,browser,prune}.*` for that agent (ignored when sandbox scope resolves to `"shared"` ).
2026-01-07 11:59:16 +01:00
### Tool Restrictions
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
The filtering order is:
2026-01-31 21:13:13 +09:00
2026-01-13 06:28:15 +00:00
1. **Tool profile ** (`tools.profile` or `agents.list[].tools.profile` )
2026-01-13 09:59:36 +00:00
2. **Provider tool profile ** (`tools.byProvider[provider].profile` or `agents.list[].tools.byProvider[provider].profile` )
3. **Global tool policy ** (`tools.allow` / `tools.deny` )
4. **Provider tool policy ** (`tools.byProvider[provider].allow/deny` )
5. **Agent-specific tool policy ** (`agents.list[].tools.allow/deny` )
6. **Agent provider policy ** (`agents.list[].tools.byProvider[provider].allow/deny` )
7. **Sandbox tool policy ** (`tools.sandbox.tools` or `agents.list[].tools.sandbox.tools` )
8. **Subagent tool policy ** (`tools.subagents.tools` , if applicable)
2026-01-07 11:59:16 +01:00
Each level can further restrict tools, but cannot grant back denied tools from earlier levels.
2026-01-09 12:44:23 +00:00
If `agents.list[].tools.sandbox.tools` is set, it replaces `tools.sandbox.tools` for that agent.
2026-01-13 06:28:15 +00:00
If `agents.list[].tools.profile` is set, it overrides `tools.profile` for that agent.
2026-04-04 07:27:21 +01:00
Provider tool keys accept either `provider` (e.g. `google-antigravity` ) or `provider/model` (e.g. `openai/gpt-5.4` ).
2026-01-07 11:59:16 +01:00
2026-03-18 15:44:08 -07:00
Tool policies support `group:*` shorthands that expand to multiple tools. See [Tool groups ](/gateway/sandbox-vs-tool-policy-vs-elevated#tool-groups-shorthands ) for the full list.
2026-01-31 21:13:13 +09:00
2026-03-18 15:44:08 -07:00
Per-agent elevated overrides (`agents.list[].tools.elevated` ) can further restrict elevated exec for specific agents. See [Elevated Mode ](/tools/elevated ) for details.
2026-01-08 22:57:08 +01:00
2026-01-07 11:59:16 +01:00
---
## Migration from Single Agent
**Before (single agent): **
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"defaults" : {
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace" ,
2026-01-09 12:44:23 +00:00
"sandbox" : {
"mode" : "non-main"
}
}
} ,
"tools" : {
2026-01-07 11:59:16 +01:00
"sandbox" : {
"tools" : {
2026-01-12 03:42:49 +00:00
"allow" : [ "read" , "write" , "apply_patch" , "exec" ] ,
2026-01-07 11:59:16 +01:00
"deny" : [ ]
}
}
}
}
```
**After (multi-agent with different profiles): **
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"list" : [
{
"id" : "main" ,
"default" : true ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace" ,
2026-01-09 12:44:23 +00:00
"sandbox" : { "mode" : "off" }
2026-01-07 11:59:16 +01:00
}
2026-01-09 12:44:23 +00:00
]
2026-01-07 11:59:16 +01:00
}
}
```
2026-01-30 03:15:10 +01:00
Legacy `agent.*` configs are migrated by `openclaw doctor` ; prefer `agents.defaults` + `agents.list` going forward.
2026-01-07 11:59:16 +01:00
---
## Tool Restriction Examples
### Read-only Agent
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
"tools" : {
"allow" : [ "read" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "exec" , "write" , "edit" , "apply_patch" , "process" ]
2026-01-07 11:59:16 +01:00
}
}
```
### Safe Execution Agent (no file modifications)
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
"tools" : {
2026-01-12 02:49:55 +00:00
"allow" : [ "read" , "exec" , "process" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "write" , "edit" , "apply_patch" , "browser" , "gateway" ]
2026-01-07 11:59:16 +01:00
}
}
```
### Communication-only Agent
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
"tools" : {
2026-02-16 03:43:51 +01:00
"sessions" : { "visibility" : "tree" } ,
2026-01-09 23:35:35 +00:00
"allow" : [ "sessions_list" , "sessions_send" , "sessions_history" , "session_status" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "exec" , "write" , "edit" , "apply_patch" , "read" , "browser" ]
2026-01-07 11:59:16 +01:00
}
}
```
2026-04-04 19:26:37 +01:00
`sessions_history` in this profile still returns a bounded, sanitized recall
view rather than a raw transcript dump. Assistant recall strips thinking tags,
2026-04-04 21:52:10 +01:00
`<relevant-memories>` scaffolding, plain-text tool-call XML payloads
2026-04-04 22:21:26 +01:00
(including `<tool_call>...</tool_call>` ,
`<function_call>...</function_call>` , `<tool_calls>...</tool_calls>` ,
`<function_calls>...</function_calls>` , and truncated tool-call blocks),
downgraded tool-call scaffolding, leaked ASCII/full-width model control
tokens, and malformed MiniMax tool-call XML before redaction/truncation.
2026-04-04 19:20:34 +01:00
2026-01-07 11:59:16 +01:00
---
2026-01-09 03:23:36 +01:00
## Common Pitfall: "non-main"
2026-01-09 12:44:23 +00:00
`agents.defaults.sandbox.mode: "non-main"` is based on `session.mainKey` (default `"main"` ),
2026-01-09 03:23:36 +01:00
not the agent id. Group/channel sessions always get their own keys, so they
are treated as non-main and will be sandboxed. If you want an agent to never
2026-01-09 12:44:23 +00:00
sandbox, set `agents.list[].sandbox.mode: "off"` .
2026-01-09 03:23:36 +01:00
---
2026-01-07 11:59:16 +01:00
## Testing
After configuring multi-agent sandbox and tools:
1. **Check agent resolution: **
2026-01-31 21:13:13 +09:00
2026-01-12 02:49:55 +00:00
```exec
2026-01-30 03:15:10 +01:00
openclaw agents list --bindings
2026-01-07 11:59:16 +01:00
` ``
2. **Verify sandbox containers:**
2026-01-31 21:13:13 +09:00
2026-01-12 02:49:55 +00:00
` ``exec
2026-01-30 03:15:10 +01:00
docker ps --filter "name=openclaw-sbx-"
2026-01-07 11:59:16 +01:00
` ``
3. **Test tool restrictions:**
- Send a message requiring restricted tools
- Verify the agent cannot use denied tools
4. **Monitor logs:**
2026-02-06 10:08:59 -05:00
2026-01-12 02:49:55 +00:00
` ``exec
2026-01-30 03:15:10 +01:00
tail -f "${OPENCLAW_STATE_DIR:-$HOME/.openclaw}/logs/gateway.log" | grep -E "routing|sandbox|tools"
2026-01-07 11:59:16 +01:00
` ``
---
## Troubleshooting
### Agent not sandboxed despite ` mode: "all"`
2026-01-31 21:13:13 +09:00
2026-01-09 12:44:23 +00:00
- Check if there's a global ` agents.defaults.sandbox.mode` that overrides it
- Agent-specific config takes precedence, so set ` agents.list[].sandbox.mode: "all"`
2026-01-07 11:59:16 +01:00
### Tools still available despite deny list
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
- Check tool filtering order: global → agent → sandbox → subagent
- Each level can only further restrict, not grant back
- Verify with logs: ` [tools] filtering tools for agent:${agentId}`
### Container not isolated per agent
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
- Set ` scope: "agent"` in agent-specific sandbox config
- Default is ` "session"` which creates one container per session
---
2026-03-18 15:44:08 -07:00
## See also
2026-01-07 11:59:16 +01:00
2026-03-18 15:44:08 -07:00
- [Sandboxing ](/gateway/sandboxing ) -- full sandbox reference (modes, scopes, backends, images)
- [Sandbox vs Tool Policy vs Elevated ](/gateway/sandbox-vs-tool-policy-vs-elevated ) -- debugging "why is this blocked?"
- [Elevated Mode ](/tools/elevated )
2026-01-07 11:59:16 +01:00
- [Multi-Agent Routing ](/concepts/multi-agent )
2026-03-22 15:47:09 -07:00
- [Sandbox Configuration ](/gateway/configuration-reference#agentsdefaultssandbox )
2026-01-07 11:59:16 +01:00
- [Session Management ](/concepts/session )